A customer traced a bug in their program back to the fact that somebody passed a stack buffer to a function that operates asynchronously. Something like this: <\/p>\n
\n\/\/ This function sends the buffer to the destination\n\/\/ asynchronously. When the send completes, the completion\n\/\/ handler is invoked.\nHRESULT SendDataAsync(void *buffer, size_t bufferSize,\n ITransferCompletion* completion);\n\nclass ColorSender : public ITransferCompletion\n{\n...\n};\n\n\/\/ Code in italics is wrong\nHRESULT ColorSender::SendColor()\n{\n COLORREF color = GetColorToSend();\n return SendDataAsync(&color, sizeof(color), this);\n}<\/i>\n<\/pre>\nThis bug led to the destination sometimes receiving corrupted data because it was a race between the stack variable being reused for something else and the data transport code copying the buffer into the transport channel. In this particular case, the customer fixed the problem by making the color<\/code> local variable a member of the ColorSender<\/code> class, because the ColorSender<\/code> object itself must remain valid for the lifetime of the transfer seeing as it is the completion handler. (We’re using the principle that code is mostly correct<\/a>.) <\/p>\nThe customer wanted to add some debugging code to the SendDataAsync<\/code> function so that it can assert that the buffer is not on the stack. The customer understands that this may be overly restrictive, and would not be appropriate for a function with a broad audience, but this function is used only within their application, so being extra-restrictive is probably okay.¹ <\/p>\nOn Windows 8 and higher, the customer can use the GetCurrentThreadStackLimits<\/code> function to get the bounds of the current thread’s stack and use that to verify that the buffer pointer is not in that range. (Since this is just for debugging purposes, they can skip the test if running on older versions of Windows, and hope that their testing on Windows 8 will catch the problem.) <\/p>\n¹ If it turns out that the check is too restrictive, they could create two functions. The first is called SendPossiblyStackDataAsync<\/code> that does no validation, and the second is SendDataAsync<\/code> which does the initial validation that the buffer is not on the stack, and then calls SendPossiblyStackDataAsync<\/code>. Most callers use SendDataAsync<\/code>, but if you’re in a special case where you are sending stack data and you know that you won’t return from the function until the completion occurs, then you can use SendPossiblyStackDataAsync<\/code>. The team could have a rule that equires all uses of SendPossiblyStackDataAsync<\/code> to undergo a special review. <\/p>\n